Categories

Experts Explain: Hidden Backdoors

This is the fourth part in a series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

In this article we will discuss one of the most common attack methods used to infect benign websites: Hidden backdoor shells. This particular compromise is similar to having a spy inside an organization. The spy can do many activities without anyone noticing.

Using backdoor shells allows hackers to access compromised sites repeatedly Using these already compromised sites as a forward base to launch attacks and infect more websites is an old trick, but it is still very prevalent.

We will cover the topic of backdoor shells, how to protect yourself and your website from this kind of an attack, and best practice strategies to avoid compromise.

What is a Backdoor Shell?
A backdoor shell is a type of computer software that is placed into the hosting account without the knowledge or permission of the website owner. This software is usually packaged as a standalone file and contains commands usually written in PHP (a computer programming language).

The backdoor shell allows malicious hackers to connect to compromised websites at their convenience. It’s like having a sleeper agent inside an organization that you can wake up whenever you want want and make them do bad things on your behalf. These backdoor shells can be used to infect webpages, use a compromised hosting account to send out spam email, install phishing pages and, unfortunately, much more.

Why were these shells developed?
The backdoor shells were initially developed for debugging, testing and security research purposes. For example, consider the popular backdoor shell: phpshell. This software was written completely in PHP and is stand alone (needing no support from any installation process). Once placed on a website, an admin can use it to check disk space, folder contents, and even check more details on the hosting account.

However, these shells are also used by security researchers to test whether they can access internal systems and infrastructure via the shell. Unfortunately, malicious hackers also enjoy the flexibility and power provided by these shells and now use them in a prolific manner to infect websites.

How are these shells used by malicious hackers?
Malicious hackers install these backdoor shells by first exploiting a vulnerability on a website (usually via an application vulnerability like XSS or SQL injection) or by using stolen FTP credentials.

Once these shells are installed (often hidden deep within randomly named sub-directories of a hosting account), it becomes tricky to find and delete them. Only the malicious hacker knows the exact URL with which they can access the hidden backdoor shell and can navigate to it by means of a simple web browser. They can use the shell to execute commands to check files or modify them, for example, at any time.

What do these shells look like?
We present some examples of some of the most common shells (c99, c100, r57) below. Notice that all of them allow fine grained control over the hosting account that has been compromised.

c99 shell

r57 shell

c100 shell

As you can see, for each of these shells, the malicious hacker has complete control over many functions of a hosting account. They can list files, modify them, install software, and launch attacks to exploit the hosting account to do whatever they would like.

How can I identify the existence of these shells?
These shells can be identified by virtue of the functionality they expose to the malicious hackers. For example, if you search for strings like “c99shell”, “pre-release”, “uname-a”, or “safe-mode” in the files present on your hosting account, you will find these malicious files.

How to detect if your site is vulnerable?
Find out if your website is sending spam or phishing emails, or participating in the distribution of malware on the Internet. You should check your website domain name on spam and phishing databases like Spamcop and Phishtank to identify if your website has been reported. You should also identify if your website is showing malware to your visitors. These are often the tale signs of a backdoor shell on your hosting account.

Remember that malicious hackers can exploit vulnerabilities on your website to install backdoor shells if application level security holes such as SQL injection or Cross Site Scripting issues are present.

Conclusion
Backdoor shells are a common vector for malicious hackers to exploit and infect websites. We have seen what these shells are, how they are used by malicious hackers, and how to protect your website.

StopTheHacker.com customers have access to resources and services that protect them against these kind of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.